OAuth re-auth for `claude agents` fails with ECONNREFUSED on `org:create_api_key` scope
Describe the bug
When opening claude agents (the interactive TUI), the CLI launches an OAuth re-authorization flow requesting the org:create_api_key scope (which the standard /login flow does not include). After approving in the browser at claude.com/cai/oauth/authorize, the redirect lands on platform.claude.com/oauth/code/callback and returns a code#state string. When that code is pasted (or auto-consumed) back into the CLI, the UI shows:
Login
OAuth error: ECONNREFUSED
Press Enter to retry.
Esc to cancel.
Retrying loops back to the same error.
What I verified locally (so it's not the obvious things)
- Network is fine —
curltoclaude.com,platform.claude.com,api.anthropic.com,claude.com/cai/oauth/authorize(→ 307),claude.com/cai/oauth/token(→ 405 on empty POST, i.e. endpoint is reachable) all succeed over IPv4 and IPv6. - No proxy env vars, no
/etc/hostsoverrides for claude/anthropic, no Little Snitch / LuLu running. - Standard
/loginworks and refreshes the token, but the resulting token only carries the regular scopes (user:profile, user:inference, user:mcp_servers, user:sessions:claude_code, user:file_upload) —org:create_api_keyis never granted. - Reproduces on both 2.1.148 and 2.1.150 with identical OAuth URL (same
client_id, samecode_challenge, onlystatediffers across attempts) — so it's not a version regression in the binary. - Daemon IPC socket (
/tmp/cc-daemon-501/<id>/control.sock) responds healthy to{"op":"ping"}.
This makes me think the failure is on the code→token exchange path for the extended scope, possibly server-side.
Repro
- Be already logged in with the standard
/login(noorg:create_api_keyscope). - Run
claude agents. - Approve in the browser when the URL pops up.
- Result:
OAuth error: ECONNREFUSED.
Environment
- Claude Code:
2.1.150(also reproduces on2.1.148) - OS: macOS Darwin 25.3.0 (arm64, M4)
- Shell: zsh
Workaround
Existing background agents are unaffected — they can be listed with claude agents --json and resumed with claude --resume <sessionId>. Only the interactive claude agents TUI is blocked.
This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗